Clear admin kubeconfig when rotating certs (#1772)

* Clear admin kubeconfig when rotating certs * Update main.yml

Clear admin kubeconfig when rotating certs (#1772)
ee83e874 · Matthew Mosesohn · GitHub · 27ed73e3 · ee83e874 · ee83e874
Commit ee83e874 authored 7 years ago by Matthew Mosesohn Committed by GitHub 7 years ago
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -28,6 +28,9 @@
  template:
    src: admin.conf.j2
    dest: "{{ kube_config_dir }}/admin.conf"
+    owner: root
+    group: "{{ kube_cert_group }}"
+    mode: 0640
  when: not kubeadm_enabled|d(false)|bool
 - name: Create kube config dir
@@ -50,7 +53,6 @@
    dest: "{{ artifacts_dir }}/admin.conf"
    flat: yes
    validate_checksum: no
-  become: no
  run_once: yes
  when: kubeconfig_localhost|default(false)

--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -46,5 +46,16 @@
  delay: 6
 - name: Master | set secret_changed
+  command: /bin/true
+  notify:
+    - Master | set secret_changed to true
+    - Master | clear kubeconfig for root user
+- name: Master | set secret_changed to true
  set_fact:
    secret_changed: true
+- name: Master | clear kubeconfig for root user
+  file:
+    path: /root/.kube/config
+    state: absent
--- a/roles/kubernetes/secrets/handlers/main.yml
+++ b/roles/kubernetes/secrets/handlers/main.yml
 ---
 - name: set secret_changed
+  command: /bin/true
+  notify:
+    - set secret_changed to true
+    - clear kubeconfig for root user
+- name: set secret_changed to true
  set_fact:
    secret_changed: true
+- name: clear kubeconfig for root user
+  file:
+    path: /root/.kube/config
+    state: absent